
Thread: More eCOGRA Seals Awarded

  1. #61
    rowmare
    Quote Originally Posted by GrandMaster
    You seem to have a very romantic image of hackers. Hacking and cybercrime is a big business. There have been several worms recently which turned the infected machines into spam spewing zombies. You must have heard of the extortion demands and DDoS attack on gambling sites. Industrial espionage has also moved into the cyberworld. People involved in these activities are doing it for the money, not for any kind of feelings about Microsoft, they may even be grateful for all the security flaws. (I hope you all patched your Windows machines yesterday.) If Linux were easier to hack into, cybercriminals would hack into Linux boxes. There are a lot more computers running Windows, but servers (including web servers, many of which run Linux) are inherently vulnerable, even behind a firewall, because they have to accept connections from other computers. Hacking into a webserver with a high bandwidth connection would be great for a spammer, since he could send out a lot more spam than through a computer with slower connection. Windows is the hackers' favourite target, because it is more hackable.
    There are a lot of security concerns regarding Linux, Unix, etc.
    Even a quick search on any search engine would tell you that.

    More than 90% of computers around the world run Windows, including many host/servers.

    A large percentage of worms, viruses, et al. get passed on through email - most notably through Outlook Express. Why? Because they are so widely used!

    The DDoS attacks on gambling sites have nothing to do with operating systems per se, and comprise computers regardless of their operating system, be it Windows or Linux or Unix or Jimmy's awesome OS.

    As for your comment about me having a romantic view of hackers, I don't know how you read that into my post. I regard hackers with contempt, and in no way meant to make them seem noble. (I'm being polite about this, having erased an earlier remark about you being in need of a proctologist to have your head removed, but thought it too tactless).
    Janet / Fergie

  2. #62
    jpm
    Quote Originally Posted by GrandMaster
    No analogy is perfect, but I wanted to address jpm's claim that secrecy is necessary to stop the casinos from manipulating TGTR. Security through obscurity is not an accepted engineering principle. Obviously, if I were designing military communications systems, I would not give the details to the enemy, but the system would be evaluated on the basis that the enemy knows how the system works, just does not have the encryption key. Secrecy just adds a thin additional layer of security, it is not the foundation of security. Since TGTR is meant to reassure players that the game is fair, keeping the process and the results secret is wrong.
    The algorithms are MUCH more important in an encrypted communications system than the encryption key. Knowing the algorithms and how they are used in the system would be more valuable than just having the encryption key. Even determining a partial key, or using a totally different key if the original key is poorly chosen, can give you what you want to know, if you have the algorithms and other specs on how the system works. Ask Motorola for all the details on their DVP system for instance and see if they give it to you.

    While 'security through obscurity' may not be an 'accepted engineering principle', it is a necessary security principle. This is why security experts and not engineers design security protocols and procedures. While some of these experts may be engineers, not all of them are. And likewise, not all engineers are security experts. In fact, I find many engineers to be the BIGGEST security risks/holes in an organization. But again, this is another apples to oranges comparison that really doesn't have anything to do with the thread.

    A more relevant analogy would be the way the airlines and TSA evaluate passengers to determine who is low risk and who is high risk with regards to terrorism. They have a number of factors they use to evaluate the passenger to determine this risk, and they will tell you SOME of the factors, but will never tell you ALL of them or how they are used. If you knew all of this info, you could easily make yourself look less risky than you actually are (assuming you have bad intentions of course).

    The same holds true for a casino. If I run a dishonest casino and I want you to come in and certify that my casino plays fair. You tell me the exact methodology ahead of time that you are going to use to determine that my games are fair, I can most certainly manipulate things so that it looks fair when you evaluate it. This is the very reason why when a reputable auditing firm comes in to audit a business, they pull things from the files at random to inspect/confirm. They will tell you ahead of time that they are going to do this, but not what specific things they are going to inspect/confirm. The investors and financiers of that business don't need to know the exact methodology and items that were inspected/confirmed to believe what the auditors report to them, as long as the auditors are reputable and honest. (Now re-read that last sentence replacing the words 'investors/financiers' with 'players', and 'business' with 'casino'.)

    Try calling PWC and tell them you want to have them come and audit a company, but before you agree to hire them, you want to know their exact methodology and exactly what items they will want to inspect/confirm and see what they tell you.

    (Rowmare, once again your comments are right on the mark)

  3. #63
    spearmaster
    Quote: Windows is the hackers' favourite target, because it is more hackable.
    While Windows is definitely more hackable (rather, more buggy than any other software available) - that is not the reason it is the hacker's favorite target.

    The reason it is the hacker's favorite target is because 90% (btw, that figure is low) of computers use Windows. Thus, if one wanted to spread viruses, it would be far easier to spread through Windows than Linux or any *nix for that matter.

    Also, home users generally don't use Linux... and home users obviously know much less about security and firewalls and the like. So the success rate of an infection is generally higher.

  4. #64
    caruso
    The argument that transparency of the reporting process is by definition impossible because of "manipulation" issues is entirely irrelevant.

    "Sorry, but we cannot disclose our processes because of security issues."

    Fine, I don't have any problem with that - other than that since the results reported from those processes are now also "by definition" totally valueless, the software certification is the same - totally valueless. It makes no difference how much you try to work your way around the issue, that simple fact remains. Uncorroborated / uncorroboratable claims of this kind are nothing more than fiction.

    And I wonder if this is now eCOGRA's official stance on the issue? So, no can do. Security issues. It would be ironic if the excuse they found to keep their non-existent "validation process" under wraps was neatly provided for them on the message boards, where casinos and those representing them are called to task on a day by day basis.

  5. #65
    GrandMaster
    Quote Originally Posted by jpm
    The algorithms are MUCH more important in an encrypted communications system than the encryption key. Knowing the algorithms and how they are used in the system would be more valuable than just having the encryption key. Even determining a partial key, or using a totally different key if the original key is poorly chosen, can give you what you want to know, if you have the algorithms and other specs on how the system works. Ask Motorola for all the details on their DVP system for instance and see if they give it to you.
    This is not the current accepted thinking. There are many published, publicly available strong algorithms, which you can implement yourself on your computer if you wish. See for example "Applied Cryptography" by Bruce Schneier, or "Practical Cryptography" by Niels Ferguson and Bruce Schneier. Here is a quote from p. 344 of "Secrets and Lies", another excellent book by Bruce Schneier: "The only way to have any confidence in the security of a system is over time, through expert evaluation. And the only way to get that expert evaluation is if the details of a system are public. A good security design has no secret in the details. In other words all the security is in the product itself and its changeable secret: the cryptographic keys, the passwords, the tokens, and so forth. The antithesis is security by obscurity. The details of the system are part of security. If a system is designed with security by obscurity, then that security is delicate. As the designers of the once proprietary security systems, the DVD encryption scheme, and the FireWire interface learned, sooner or later the details will be released. A bad system design is secure as long as the details remain secret, but quickly breaks once they are released. A good system design is secure even if the details are public."

    Motorola may have good commercial reasons for not revealing the details of DVP to me, but if I were considering a product using DVP for a specific purpose, I would insist on having it evaluated by my own experts, rather than rely on Motorola's word.


    Quote Originally Posted by jpm
    While 'security through obscurity' may not be an 'accepted engineering principle', it is a necessary security principle. This is why security experts and not engineers design security protocols and procedures. While some of these experts may be engineers, not all of them are. And likewise, not all engineers are security experts. In fact, I find many engineers to be the BIGGEST security risks/holes in an organization. But again, this is another apples to oranges comparison that really doesn't have anything to do with the thread.
    You make it sound like engineers cannot be experts. There is something called security engineering, in fact I have a book by Ross Anderson with this title.

    Quote Originally Posted by jpm
    A more relevant analogy would be the way the airlines and TSA evaluate passengers to determine who is low risk and who is high risk with regards to terrorism. They have a number of factors they use to evaluate the passenger to determine this risk, and they will tell you SOME of the factors, but will never tell you ALL of them or how they are used. If you knew all of this info, you could easily make yourself look less risky than you actually are (assuming you have bad intentions of course).
    You believe everything the government tells you, don't you? Read http://swissnet.ai.mit.edu/6805/stud...apers/caps.htm for an explanation of how the passenger profiling can be defeated, and that it is in fact worse than picking out people at random.

    Quote Originally Posted by jpm
    The same holds true for a casino. If I run a dishonest casino and I want you to come in and certify that my casino plays fair. You tell me the exact methodology ahead of time that you are going to use to determine that my games are fair, I can most certainly manipulate things so that it looks fair when you evaluate it. This is the very reason why when a reputable auditing firm comes in to audit a business, they pull things from the files at random to inspect/confirm. They will tell you ahead of time that they are going to do this, but not what specific things they are going to inspect/confirm. The investors and financiers of that business don't need to know the exact methodology and items that were inspected/confirmed to believe what the auditors report to them, as long as the auditors are reputable and honest. (Now re-read that last sentence replacing the words 'investors/financiers' with 'players', and 'business' with 'casino'.)

    Try calling PWC and tell them you want to have them come and audit a company, but before you agree to hire them, you want to know their exact methodology and exactly what items they will want to inspect/confirm and see what they tell you.
    There are literally millions of auditors in the world, so the methods of auditing are not exactly secret. When it comes to verifying the fairness of the games and the RNG, the testing could also involve testing randomly chosen sets of results. Just finding a non-random source that would pass several published randomness tests would be hard enough, but it would be even harder for a casino to manipulate the results if it does not even know which results to fix.
    "The voice of reason"
    http://mb.winneronline.com moderator

  6. #66
    jetset
    More casinos have passed the eCOGRA inspections - there's a news release elsewhere on Casinomeister with the news today that C.O.N. is now on board.

    Briefings for an open audience of providers take place lunchtime today in Toronto at GIGSE, and there are two other public and open presentations scheduled for later this week by chairman Michael Hirst and CEO Andrew Beveridge.
    jetset

  7. #67
    jpm
    Quote Originally Posted by GrandMaster
    This is not the current accepted thinking. There are many published, publicly available strong algorithms, which you can implement yourself on your computer if you wish.
    True, but they are not published as being the ones used by a particular organization or military unit. If their specific algorithms were being published and/or made public, I'm sure they would have them changed. I'll still maintain that you don't make the specific details of your security system public in the desire to maintain its privacy and security.


    Quote: Motorola may have good commercial reasons for not revealing the details of DVP to me, but if I were considering a product using DVP for a specific purpose, I would insist on having it evaluated by my own experts, rather than rely on Motorola's word.
    I'm sure they'd let you evaluate it, but they wouldn't supply you with their proprietary information detailing every aspect of the system.


    Quote: You make it sound like engineers cannot be experts. There is something called security engineering, in fact I have a book by Ross Anderson with this title.
    I don't know how you got that out of what I said, I was pretty clear about it. There are engineers who are security experts, and vice versa. Being one does not automatically make you the other. Having worked with many engineers in the past, I can tell you that many of them didn't concern themselves with security. Some would have their passwords written down right next to their workstation or on the monitor, etc, or use no password at all for example.

    Quote: You believe everything the government tells you, don't you.
    Not at all, just using that as an example. I believe it's a totally flawed system and if they wanted to profile the right people, it would be very easy to do and I think we all know how to do it. You don't need fancy relational databases and computers snooping into everyone's private life to figure it out.

    Quote: There are literally millions of auditors in the world, so the methods of auditing are not exactly secret.
    Exactly what I said, the methods are not secret, what exactly they are looking at is. Or more accurately, it is random in the example I cited. I think that is probably the best way to do an audit of any sort (other than a full audit of all information). Hopefully that is the way eCOGRA goes about doing it, but we may never know. And since we don't know, we have to run an honest casino, or we'll most likely be found out by whatever method they are using.

    In any case, I think we've probably beaten this poor dead horse to a pulp by now. I think that those who are against eCOGRA will not be convinced otherwise by anything else I can say here. eCOGRA's actions will have to speak for them.
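An added illustration, not code from any poster or from eCOGRA, of the point made in posts #65 and #67 that an audit method can be public while the choice of records stays unpredictable: the chi-square test and sample size below are fixed and known, and only the record selection differs. The dice game, the log layout and all function names are assumptions made for the example.

```python
import random
import secrets
from collections import Counter

FACES = (1, 2, 3, 4, 5, 6)
# Chi-square critical value for 5 degrees of freedom at alpha = 0.001.
CHI2_CRIT = 20.515


def chi_square_uniform(outcomes):
    """Pearson chi-square statistic of the outcomes against a fair die."""
    expected = len(outcomes) / len(FACES)
    counts = Counter(outcomes)
    return sum((counts[f] - expected) ** 2 / expected for f in FACES)


def build_rigged_log(total=20000, clean_window=600, seed=1):
    """Constructed log of a dishonest operator (sample data, not real results).

    The first `clean_window` rolls are perfectly balanced because the operator
    expects them to be inspected; every later roll avoids the paying face 6.
    """
    rng = random.Random(seed)
    clean = list(FACES) * (clean_window // len(FACES))
    rng.shuffle(clean)
    rigged = rng.choices(FACES[:5], k=total - clean_window)
    return clean + rigged


def announced_indices(n=600):
    """Selection disclosed in advance: the first n records."""
    return range(n)


def secret_indices(log_len, n=600, rng=None):
    """Selection the operator cannot predict: n records drawn by a CSPRNG."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(range(log_len), n)


def audit(log, indices):
    """Apply the published test to the chosen records: (statistic, passed)."""
    stat = chi_square_uniform([log[i] for i in indices])
    return stat, stat < CHI2_CRIT


if __name__ == "__main__":
    log = build_rigged_log()
    print("announced sample:", audit(log, announced_indices()))
    print("secret sample:   ", audit(log, secret_indices(len(log))))
```

The record selection plays the role of the key in the cryptographic analogy: publishing `audit` and `chi_square_uniform` costs the auditor nothing, while disclosing the indices lets the rigged log pass.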

  8. #68
    dominique
    Quote Originally Posted by jetset
    More casinos have passed the eCOGRA inspections - there's a news release elsewhere on Casinomeister with the news today that C.O.N. is now on board.
    I have been looking for this but cannot find it.

    Maybe someone can point me in the right direction?
    dominique

    Online Casino Guide
    8000 pages of online gambling information

    Las Vegas Forum
    Viva Las Vegas!

    Bingo Forum
    Bingo!


    When I was young, people called me a gambler. As the scale of my operations increased I became known as a speculator. Now I am called a banker. But I have been doing the same thing all the time.
    - Sir Ernest Cassel Private banker to King Edward VII

  9. #69
    jpm
    It's in the thread just below this one, Dominique. Go back up to the Casino Industry Discussion forum and look right under this thread.

  10. #70
    dominique
    Thank you, jpm.
    dominique

